httpd-bugs mailing list archives

DO NOT REPLY [Bug 21787] - LDAP authentication failure does not recover properly

Date

Tue, 14 Oct 2003 04:14:05 GMT

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21787
LDAP authentication failure does not recover properly
schwoerb@uww.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |schwoerb@uww.edu
         OS/Version|Other                       |All
           Platform|PC                          |All

------- Additional Comments From schwoerb@uww.edu 2003-10-14 04:14 -------

We have also experienced the same problem. The listed change from above does
work at least for 2.0.47 on Windows 2003 against AD on 2003. After
investigating this problem further I also come to the conclusion that the
problem does occur because in the util_ldap_cache_checkuserid function
(util_ldap.c) it is using an existing connection for the simple bind (line 874)
and then allowing reuse of this connection (good or bad credentials).

IMO after determining the credential pair doesn't exist in cache and getting
the dn using the binddn+bindpw search, a new connection should be created to
check the user's credentials. After this has completed successfully or
unsuccessfully this connection should be destroyed leaving the other connection
untouched. This allows for the binddn+bindpw pair to be used for the searches
and compares. This is also needed because in some environments the last
authenticated user might not have the access to search for all users, while the
binddn user should.

I would take a shot at coding this, but I am not good with memory cleanup.
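
Added example, not part of the bug comment and not httpd code: a toy C model of the connection reuse described in the comment, comparing a password check on the pooled connection with a check on a throwaway connection. The conn type, dir_bind, dir_search and the DNs and passwords are hypothetical and constructed for the illustration.

```c
/* Toy model of a pooled LDAP connection. All names here are hypothetical. */
#include <stdio.h>
#include <string.h>

#define SVC_DN  "cn=svc,dc=example"    /* constructed service account (binddn) */
#define USER_DN "cn=alice,dc=example"  /* constructed end user */

typedef struct { char bound_as[64]; } conn;  /* "" means anonymous */

/* Simple bind: success switches the connection to the new identity, failure
   leaves it anonymous (RFC 4511). Either way the old identity is gone. */
static int dir_bind(conn *c, const char *dn, const char *pw) {
    int ok = (!strcmp(dn, SVC_DN) && !strcmp(pw, "svc-pw")) ||
             (!strcmp(dn, USER_DN) && !strcmp(pw, "alice-pw"));
    snprintf(c->bound_as, sizeof c->bound_as, "%s", ok ? dn : "");
    return ok;
}

/* In this model only the service account may search for all users. */
static int dir_search(const conn *c) { return !strcmp(c->bound_as, SVC_DN); }

/* Reported pattern: the user's password is checked on the pooled connection. */
static int check_shared(conn *pool, const char *dn, const char *pw) {
    return dir_bind(pool, dn, pw);
}

/* Proposed pattern: check on a separate connection, then discard it. */
static int check_dedicated(conn *pool, const char *dn, const char *pw) {
    conn tmp = { "" };
    (void)pool;                     /* the pooled connection is never rebound */
    return dir_bind(&tmp, dn, pw);  /* a real client would unbind/close tmp */
}

/* Can the pooled connection still search after one login attempt? */
int pool_usable_after(int dedicated, const char *pw) {
    conn pool = { "" };
    dir_bind(&pool, SVC_DN, "svc-pw");
    if (dedicated) check_dedicated(&pool, USER_DN, pw);
    else           check_shared(&pool, USER_DN, pw);
    return dir_search(&pool);
}

int main(void) {
    printf("shared, bad pw:     search ok = %d\n", pool_usable_after(0, "wrong"));
    printf("shared, good pw:    search ok = %d\n", pool_usable_after(0, "alice-pw"));
    printf("dedicated, bad pw:  search ok = %d\n", pool_usable_after(1, "wrong"));
    printf("dedicated, good pw: search ok = %d\n", pool_usable_after(1, "alice-pw"));
    return 0;
}
```

In the shared case the pooled connection ends up bound as the last user or as anonymous, so later searches no longer run as the binddn account; in the dedicated case they still do.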